What do you and a Bank of America executive have in common? It may not be the number of zeros in your salary. But you both use laptops for business, and if you aren’t using desktop virtualization, you could also become a data theft victim like one Bank of America executive.

You may remember reading about the bank executive whose unencrypted laptop with customer information and sensitive corporate data was stolen a few years back. The contents of his hard drive were later extracted and made available on the WikiLeaks website. It was a leading story in the evening news.

Looking at those events, I wonder if Virtual Desktop Infrastructure (VDI) could have prevented these incidents and countless other data theft and virus cases.

Let thieves have the shell, you keep the pearl

Pearl divers love the hunt for the treasures inside the shelled homes of an ocean creature called the mollusk. For a computer information thief, much like a pearl diver, the thrill of the theft is only the beginning. The real prize is what's contained inside: information that, in the wrong hands, could harm a company's reputation and potentially impact its finances.

With VDI, you can turn the devices into simple shells and hold the real treasure -- the company information -- in the data center, with policies governing access.

This means the virtual desktop access devices -- thin clients, PCs, iPads and other types of client hardware -- become little more than empty shells.

Does VDI eliminate the need for antivirus software?

Some IT admins have suggested antivirus software isn't necessary for virtual desktops because of the inherent security virtual desktops provide. Concern about resource overload further encourages the removal of antivirus software.

Security benefits of VDI

User environments are contained within the data center, making them easier to access and repair.

A VDI design that utilizes cloned or single images can be easily restored to a clean state with a simple reboot or refresh.

A VM running on a client hypervisor (such as XenClient) can easily be destroyed or restored.

VDI allows for tighter controls over data transfer, such as restricting USB drives and file uploads.

But the merits of antivirus software are still valid in a VDI environment. Image restoration and centralized control are excellent methods of preventing or slowing the spread of a virus, but they do nothing to prevent the initial infection. Even if you enforce strict policies for data transfer, the numerous ways of transferring files (including email viruses that get past the email scanner) mean that even a virtual desktop has risk exposures.

McAfee and Symantec recently announced that their software will operate more intelligently in VDI environments, and Symantec published a whitepaper showing how Symantec Endpoint Protection (SEP) version 11 includes enhancements for virtual desktop environments. Additionally, Symantec announced at the recent Symantec Vision Conference that SEP version 12 will have further enhancements, including awareness of cloned images and an over 90% reduction in IOPS in VDI environments.

Data encryption on local drives is not enough

Of course, some say that encryption for traditional PCs is sufficient. There are excellent products on the market, such as Symantec's PGP Whole Disk Encryption (WDE), that create a security "force field" around local hard drives.

The problem arises when the data on a device is no longer in the physical control of the employee or the IT department. To trigger the "poison pill" built into the PGP-compliant chipset, the device needs to reconnect to the public network and receive the command to "swallow the pill" and disable itself.

The PGP security administrator could set a policy forcing systems to rendezvous with the security controller within a predefined time period. If the system misses the rendezvous, it commits hara-kiri. It sounds like a James Bond spy movie, and that's the problem; it's closer to make-believe than reality.

Those of us in the real IT world know how impractical this feature is in most enterprises. I liken it to a loud car alarm that goes off for 15 minutes before the neighbor calls the police, who arrive 10 minutes later. A professional car thief breaks into a car and hot-wires it in under one minute. Similarly, a savvy data thief can extract data from storage media before the next scheduled rendezvous.

If you keep all the data in the data center, present it via virtual desktops, implement data extraction policies, and monitor, control and protect data in transit out of the data center, you preserve the most valuable asset a company has -- information.

VDI is not the answer to all desktop security problems, but together with antivirus software, it is a strategy that should be considered for today’s toughest security challenges.

ABOUT THE AUTHOR: Eugene Alfaro leads IT Engineering for Cornerstone Technologies, an IT engineering services firm in San Jose, CA. He has architected, managed and operated corporate IT environments for multi-national companies since 1998. He has been a speaker on topics such as virtualization, WAN optimization, enterprise storage, Voice-over-IP and others.
